allow cbc, hmac and kex to be configured individually for client and server. #49

Merged
merged 3 commits into master from bkw:splitWeakCipers, Oct 14, 2014

bkw (Contributor) commented Oct 14, 2014

This PR deprecates require_cbc, weak_hmac and weak_kex from the ['ssh'] attribute namespace and moves them to ['ssh']['client'] and ['ssh']['server'] instead.
The attributes in 'client' only affect the client, whereas 'server' affects only the configuration of the server.
I.e. node['ssh']['client']['weak_hmac'] only adds hmac_sha1 to the MACs of ssh_config without weakening the HMACs of the server in sshd_config, and so forth.

Real-world usecase: gitlab server with developers using Eclipse. For EGit we have to support hmac_sha1 on the server, but I don't want to allow that for the installed client.

The PR contains compat support for the old attributes and tests to verify the precedence logic.

The reason why I don't let the client- and server-variants take precedence over the corresponding legacy value is that an existing chef client might still have the legacy value stored, and the user may not have noticed the new attributes yet.
Instead the following logic is applied (and documented in the code):

  • If one of the global legacy attributes is found with a value of true and the client and server variants are both unaltered from their default value false, then the legacy attribute takes precedence and sets both to true.
  • If either one of the client or server values is true, we assume the user has seen the new settings and ignore the legacy value.
  • In any case where any of the legacy attributes is true, a warning is emitted, mentioning the fate of the value for both client and server configs.

TL;DR:
Please merge, everything will be fine ;-)
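The precedence rules above, written out as an added Ruby example (this is not the cookbook's own code, and it is anchored here after the PR description rather than being part of it). It assumes the three keys keep their names under 'client' and 'server', stands in a plain hash for Chef's node['ssh'] attributes, and uses an illustrative base MAC list; the function names are hypothetical:

```ruby
# Added example, not the cookbook's own code. Models the precedence the PR
# describes between the deprecated global attributes (node['ssh'][key]) and
# the new per-role attributes (node['ssh']['client'][key] and
# node['ssh']['server'][key]). Assumptions: the three keys keep their names
# under 'client'/'server', and BASE_MACS is illustrative only.

LEGACY_KEYS = %w[require_cbc weak_hmac weak_kex].freeze

# Resolves one key for both roles.
# Returns [client_bool, server_bool, warning_or_nil].
def resolve_legacy(key, ssh)
  legacy = ssh[key] == true
  client = ssh.fetch('client', {})[key] == true
  server = ssh.fetch('server', {})[key] == true

  if legacy && !client && !server
    # Rule 1: legacy true, both new attributes still at their default
    # false -> the legacy value wins and is applied to both roles.
    [true, true,
     "['ssh']['#{key}'] is deprecated; applying true to both client and server"]
  elsif legacy
    # Rule 2: a new attribute was set, so the legacy value is ignored.
    # Rule 3: still warn, stating what each side ends up with.
    [client, server,
     "['ssh']['#{key}'] is deprecated and ignored; client=#{client}, server=#{server}"]
  else
    [client, server, nil]
  end
end

# Resolves all keys.
# Returns { 'client' => {..}, 'server' => {..}, 'warnings' => [..] }.
def resolve_weak_settings(ssh)
  out = { 'client' => {}, 'server' => {}, 'warnings' => [] }
  LEGACY_KEYS.each do |key|
    c, s, warning = resolve_legacy(key, ssh)
    out['client'][key] = c
    out['server'][key] = s
    out['warnings'] << warning if warning
  end
  out
end

# Illustrative MACs line as it would be rendered into ssh_config or
# sshd_config: hmac-sha1 is appended only when weak_hmac is true for that role.
BASE_MACS = %w[hmac-sha2-512 hmac-sha2-256].freeze

def macs_line(weak_hmac)
  macs = BASE_MACS.dup
  macs << 'hmac-sha1' if weak_hmac
  "MACs #{macs.join(',')}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attributes for the GitLab/EGit case from the PR:
  # hmac-sha1 allowed on the server only, client left strict.
  node_ssh = { 'server' => { 'weak_hmac' => true } }
  r = resolve_weak_settings(node_ssh)
  puts "ssh_config:  #{macs_line(r['client']['weak_hmac'])}"
  puts "sshd_config: #{macs_line(r['server']['weak_hmac'])}"
  r['warnings'].each { |w| warn w }
end
```

With only the server attribute set, sshd_config gets the extra hmac-sha1 while ssh_config keeps the strict list and no deprecation warning is emitted; setting the legacy ['ssh']['weak_hmac'] alone would instead weaken both sides and warn.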

coveralls commented Oct 14, 2014

Coverage remained the same when pulling 7b6aca3 on bkw:splitWeakCipers into e288bc4 on TelekomLabs:master.

bkw referenced this pull request Oct 14, 2014 (Merged): make users data bag optional #50

coveralls commented Oct 14, 2014

Coverage remained the same when pulling 7d4722b on bkw:splitWeakCipers into 7bccda5 on TelekomLabs:master.

bkw (Contributor) commented Oct 14, 2014

rebased to current master.

chris-rock (Member) commented Oct 14, 2014

this is a great improvement. thanks @bkw

chris-rock added a commit that referenced this pull request Oct 14, 2014

Merge pull request #49 from bkw/splitWeakCipers
allow cbc, hmac and kex to be configured individually for client and server.

chris-rock merged commit d569069 into dev-sec:master Oct 14, 2014

1 check passed: continuous-integration/travis-ci (the Travis CI build passed)

chris-rock referenced this pull request Oct 14, 2014 (Closed): Harmonize API #53

bkw deleted the bkw:splitWeakCipers branch Oct 14, 2014
